Introduction

Model checking has been widely successful in validating and debugging hardware designs and communication protocols. However, state-space explosion is an intrinsic problem which limits the applicability of model checking tools. To overcome this limitation, software model checkers have adopted different approaches, among which abstraction methods are highly regarded, modern techniques. Predicate abstraction in particular is a prominent technique which has been widely used in modern model checking. It has been shown to enhance the effectiveness of reachability computation in infinite-state systems. In this technique an infinite-state system is represented abstractly by a finite-state system, where the states of the abstract model correspond to the truth valuations of a chosen set of atomic predicates. Predicate abstraction was first introduced in [?] as a method for automatically determining invariant properties of infinite-state systems. It involves abstracting a concrete transition system using a set of formulas called predicates, which usually denote state properties of the concrete system.

The practical applicability of predicate abstraction is impeded by two problems. First, predicates need to be provided manually [11, ?]. This means that the selection of appropriate abstraction predicates is based on a user-driven trial-and-error process. The high degree of user intervention also stands in the way of a seamless integration into practical software development processes. Second, very often the abstraction is too coarse to allow relevant system properties to be verified. This calls for abstraction refinement [6], often following a counterexample-guided abstraction refinement (CEGAR) scheme [?]. Real-time models are one example of systems with a large state space, as time adds much complexity to the system. Accordingly, there has recently been an increasing amount of research on the abstraction of such models. The objective of this paper is to provide an automated predicate abstraction technique for concurrent dense real-time models according to the timed automaton model of [?]. We propose a method that generates a more efficient set of predicates than a manual, ad-hoc process would be able to provide. We use the results from our recent work [2] to analyze the behavior of the system under verification, to discover its local state invariants and to remove transitions that can never be traversed. We then describe a method to compute a predicate abstraction based on these state invariants. We use information regarding the control state labels as well as the newly computed invariants in the considered control states when determining the abstraction predicates. We have developed a prototype tool that implements the invariant determination. Work is under way to also implement the computation of a predicate abstraction based on our proposed method. We plan to embed our approach into a comprehensive abstraction and refinement methodology for timed automata.

Related Work. An interactive method for predicate abstraction of real-time systems, where a set of predicates called the basis is provided by the user, is presented in [6]. The manual choice of the abstraction basis depends on the user's understanding of the system. The work presented in [15, 16] proposes an abstraction method which is based on identifying a set of predicates that is fine enough to distinguish between any two clock regions and which creates a strongly preserving abstraction of the system. The basis predicates are discovered from spurious paths obtained through model checking of the system. Also in this approach the choice of the original set of predicates relies on the user's understanding of the system, as well as on the counterexample generation experiments. To the best of our knowledge, at the time of writing, there has been no research on automatically generating invariants (predicates) for dense real-time models, which is the central contribution of our paper.

In the functional setting the CEGAR methodology based on the seminal paper [5] has been rather influential in the development of hardware and software verification methodologies, e.g., [?]. Abstraction predicate discovery based on the analysis of spurious counterexamples is at the heart of the work in [?]. The approaches presented in [10, 13] and in [?] use interpolation to detect the feasibility of an abstract trace. [14] introduces a proof-based automatic predicate abstraction.

1 Preliminary Definitions and our Previous Results 

Timed Automata. To keep this article self-contained we briefly recall some of the results in [2]. A timed automaton [?] consists of a finite state automaton together with a finite set of clock variables, simply called clocks, and a finite set of integer variables. In the notation we distinguish clock and integer variables only where necessary. Clocks are non-negative real-valued variables which all increase at the same rate, while integers change only when there is an explicit assignment. Initially, all clocks are set to 0. A clock may be reset, but afterwards it immediately starts running again. The finite state automaton describes the control states of the system, which are referred to as locations, as well as the transitions between locations. A state or configuration of the system has the form $(l,u)$ where $l$ is the current control location and $u$ is a valuation function which assigns to each variable its current value. For $d \in \mathbb{R}^{+}$ we denote by $u+d$ the valuation that assigns to each clock $x$ the value $u(x)+d$, i.e., it increases the value of all clocks by $d$, while the integer variables remain unchanged. $G(X)$ denotes the set of (clock or integer) constraints $g$ over a set $X$ of variables. Each $g$ is of the form
$$g ::= x < t \mid t < x \mid \neg g \mid g_1 \wedge g_2,$$
where $x \in X$ and $t$, called a term, is either a variable in $X$ or a linear integer expression, i.e. an expression of the form $c + \sum_{i=1}^{n} c_i \cdot x_i$ where the $x_i$ are integer variables and $c$ and the $c_i$ are integer constants.¹ We usually write $s \le t$ for $\neg(t < s)$. By $\mathrm{var}(g)$ we denote the set of all clock variables appearing in $g$. Formally, a timed automaton $\mathcal{A}$ is a tuple $(L, l_0, \Sigma, X, \mathcal{I}, E)$ where

• $L$ is a finite set of (control) locations, and $l_0 \in L$ is the initial location.

• $\Sigma$ is a finite set of labels, called events or channels.

• $X$ is a finite set of variables.

• $\mathcal{I} : L \to G(X)$ assigns to each location in $L$ a constraint in $G(X)$.

• $E \subseteq L \times \Sigma \times 2^{X} \times G(X) \times L$ represents the discrete transitions.

¹ The restriction to integers does not constitute a loss of generality [?, Section 4.1].

The constraint associated with each location $l \in L$ is called its invariant, denoted $\mathcal{I}(l)$. We later refer to these invariants as the original invariants. Time can pass in a control location $l$ only as long as $\mathcal{I}(l)$ remains true, i.e. $\mathcal{I}(l)$ must hold whenever the current location is $l$. The semantics of a nondeterministic timed automaton $\mathcal{A}$ is defined by a transition system $\mathcal{S}_{\mathcal{A}}$. States or configurations of $\mathcal{S}_{\mathcal{A}}$ are pairs $(l,u)$, where $l \in L$ is a control location of $\mathcal{A}$ and $u$ is a valuation over $X$ which satisfies $\mathcal{I}(l)$, i.e. $u \models \mathcal{I}(l)$. $(l_0,u)$ is an initial state of $\mathcal{S}_{\mathcal{A}}$, where $l_0$ is the initial location.

Transitions. In the transition system the system state changes by:

• Delay transitions, denoted by $d$, which allow time $d \in \mathbb{R}^{+}$ to elapse. The value of all clocks is increased by $d$, leading to the transition $(l,u) \xrightarrow{d} (l,u+d)$.² This transition can take place only when the invariant of location $l$ is satisfied along the transition, i.e. $\forall d' \le d : u + d' \models \mathcal{I}(l)$.

• Discrete transitions, denoted by $\tau$, which execute an edge of $E$. A transition $\tau$ is enabled when the current valuation satisfies its guard $G_\tau$. When $\tau$ is executed, all variables, except those which are reset, remain unchanged. This results in the transition $\tau := (l,u) \xrightarrow{a,g,r} (l',u')$ where $a$ is an event, $g$ is a guard and $r$ is a reset.

An execution of a system is a possibly infinite sequence of states $(l,u)$ where each pair of consecutive states corresponds to either a discrete or a delay transition.

Creating New Invariants by CIPM. Here we briefly explain the CIPM algorithm from [2]. This algorithm strengthens the given original invariants in each control location by analysing the incoming discrete transitions to that control location; it also reduces the size of the model by pruning away those transitions which can never be traversed. The input of the CIPM algorithm is a timed automaton $\mathcal{A}'$; the output is the pruned version $\mathcal{A}$ of $\mathcal{A}'$ together with a set of new invariants $\mathcal{I}_{\mathcal{A}}$ for $\mathcal{A}$.

A discrete transition $\tau : (l,u) \to (l',u')$ is called idle if it can never be enabled. Amongst other reasons, a transition can be idle when the constraint over the transition is unsatisfiable, or when the valuation obtained from the transition does not satisfy the invariant of the target location, which means that $u' \not\models \mathcal{I}(l')$. For instance, if $\tau$ is the discrete transition $(l,u) \xrightarrow{x < y} (l',u')$ and $x > y + 3$ is an invariant of location $l$, then this transition is idle since the guard $x < y$ can never be satisfied.

At each control location $l_i$, CIPM first collects the set $\mathcal{I}(l_i)$ of all the original invariants, and then accumulates all its incoming transitions in $\mathrm{in\_trans}(l_i, \mathcal{A})$. The idle transitions within these sets are identified and deleted from the model.

For each non-idle $\tau$ in $\mathrm{in\_trans}(l_i, \mathcal{A})$ the algorithm next computes all constraints propagated into $l_i$. Since $l_i$ may also have an original invariant, the new invariant $\mathcal{I}_{\mathcal{A}}(l_i)$ is the conjunction of the original invariant and all of the previously computed constraints imposed on $l_i$. Computing $\mathcal{I}_{\mathcal{A}}(l_i)$ may render some of the outgoing transitions of $l_i$ idle. Therefore, the algorithm next checks all outgoing transitions of $l_i$ for idleness again and removes all transitions detected as idle. Two timed automata $\mathcal{A}$ and $\mathcal{A}_1$ are equivalent, denoted $\mathcal{A} \equiv \mathcal{A}_1$, if they differ only in some idle transitions.

Theorem 1.1 CIPM always terminates. It also satisfies the following properties:

• If $\mathrm{CIPM}(\mathcal{A}) = (\mathcal{A}', \mathcal{I}_{\mathcal{A}'})$ then $\mathcal{A} \equiv \mathcal{A}'$.

• If $\mathrm{CIPM}(\mathcal{A}_1) = (\mathcal{A}, \mathcal{I}_{\mathcal{A}})$, then $u \models \mathcal{I}_{\mathcal{A}}(l)$ for each reachable state $(l,u)$ in $\mathcal{S}_{\mathcal{A}_1}$. In other words, $\mathcal{I}_{\mathcal{A}}(l)$ is invariant in $l$.

² Recall that the integer variables remain unchanged.

Figure 1: Example from [15].

Figure 2: After applying CIPM.



Networks of Timed Automata. CIPM can also be used to treat networks of timed automata in which several parallel automata synchronize with one another via synchronous message passing. Transitions associated with emitting or receiving a message of type $a$ are labeled with $!a$ or $?a$, respectively. The intuitive semantics of synchronous message passing is that the message sending and the message receiving primitives are blocking and executed in a rendezvous manner.

Formally, the semantics of this kind of synchronization is defined as follows. Let $\mathcal{A} = (L, l^0, \Sigma, X, \mathcal{I}, E)$ be the parallel composition of $n$ timed automata $\mathcal{A}_1, \ldots, \mathcal{A}_n$, denoted by $\mathcal{A} = \mathcal{A}_1 \| \ldots \| \mathcal{A}_n$, where $\mathcal{A}_i := (L_i, l_i^0, \Sigma_i, X_i, \mathcal{I}_i, E_i)$ for each $1 \le i \le n$ and $X_i \cap X_j = \emptyset$ for each two distinct $i$ and $j$. For $\mathcal{A}$ we have $X = \bigcup_{1 \le i \le n} X_i$, $\Sigma = \bigcup_{1 \le i \le n} \Sigma_i$, and $\mathcal{I}(l) = \bigwedge_{1 \le i \le n} \mathcal{I}_i(l_i)$ for $l = (l_1, \ldots, l_n)$. The initial location is denoted by $l^0 = (l_1^0, \ldots, l_n^0)$. A state of the network is a configuration $(l,u)$ where $(l_i,u_i)$ is a configuration in $\mathcal{A}_i$ and $u(x) = u_i(x)$ for each $x \in X_i$ and $1 \le i \le n$. $l[l_i/l_i']$ denotes the replacement of $l_i$ by $l_i'$ in $l$, that is $l[l_i/l_i'] = (l_1, \ldots, l_{i-1}, l_i', l_{i+1}, \ldots, l_n)$. Delay transitions in this system are defined as before. The other transitions are:

• Discrete transitions: If $(l_i,u_i) \xrightarrow{a,g,r} (l_i',u_i')$ is a transition of $\mathcal{A}_i$, then $\tau := (l,u) \xrightarrow{a,g,r} (l[l_i/l_i'],u')$ is a discrete transition in the network model if $u'(x) = u_i'(x)$ for $x \in X_i$ and $u'(x) = u(x)$ for $x \notin X_i$.

• Synchronization transitions: If $(l_i,u_i) \xrightarrow{!a,g_i,r_i} (l_i',u_i')$ is a transition of $\mathcal{A}_i$ and $(l_j,u_j) \xrightarrow{?a,g_j,r_j} (l_j',u_j')$ is a transition of $\mathcal{A}_j$ with $i \ne j$, then $\tau := (l,u) \to (l[l_i/l_i', l_j/l_j'],u')$ is a discrete transition in the network model if $u'(x) = u_k'(x)$ for $k \in \{i,j\}$ and $x \in X_k$, and $u'(x) = u(x)$ for $x \notin X_i \cup X_j$.

We first run the CIPM algorithm over each automaton individually. We then compose the pruned automata to obtain a pruned network. Conjoining the newly generated invariants of the individual automata yields new invariants for the network:

Theorem 1.2 Assume $\mathcal{A} = \mathcal{A}_1 \| \ldots \| \mathcal{A}_n$ is a network of timed automata where $\mathrm{CIPM}(\mathcal{A}_i) = (\mathcal{A}_i', \mathcal{I}_{\mathcal{A}_i'})$ for each $1 \le i \le n$, and $\mathcal{A}' = \mathcal{A}_1' \| \ldots \| \mathcal{A}_n'$. Then $\mathcal{A} \equiv \mathcal{A}'$ and $\bigwedge_{1 \le i \le n} \mathcal{I}_{\mathcal{A}_i'}(l_i)$ is invariant in $l = (l_1, \ldots, l_n)$.
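As an added example that is not the paper's own code, the following Python script builds the discrete and synchronization transitions of a network $\mathcal{A}_1 \| \ldots \| \mathcal{A}_n$ from the definition above and then computes which location tuples the product can reach. Clocks are not evaluated, so guards and resets are only carried along (a synchronization transition inherits both components' guards and resets) and the reachable set is an over-approximation of the reachable configurations. The two component automata, their locations and the channel name are constructed for this example.

```python
"""Added example, not from the paper: location-level product of a network of timed
automata with !a / ?a rendezvous synchronization, and the location tuples it reaches."""
from itertools import product

# Constructed components. Edges are (src, action, guard, reset, dst); an action is an
# internal event ("b"), a send ("!a") or a receive ("?a"). Guards and resets are
# tuples of strings because clocks are only carried along here, not evaluated.
A = {"init": "l0", "locations": ("l0", "l1"),
     "edges": [("l0", "!a", ("x<=2",), ("x",), "l1"),
               ("l1", "b", (), (), "l0")]}
B = {"init": "s0", "locations": ("s0", "s1"),
     "edges": [("s0", "?a", ("y>=1",), (), "s1"),
               ("s1", "?a", (), ("y",), "s1")]}


def compose(automata):
    """Transitions of A_1 || ... || A_n over location tuples l = (l_1, ..., l_n):
    - an internal edge of component i moves l to l[l_i/l_i'];
    - a send !a of component i paired with a receive ?a of component j != i moves l
      to l[l_i/l_i', l_j/l_j'] and is labelled with the channel a.
    An unmatched !a or ?a yields no transition: rendezvous is blocking."""
    edges = []
    for l in product(*[a["locations"] for a in automata]):
        for i, ai in enumerate(automata):
            for src, act, g, r, dst in ai["edges"]:
                if src != l[i]:
                    continue
                if act[0] not in "!?":
                    edges.append((l, act, g, r, l[:i] + (dst,) + l[i + 1:]))
                elif act[0] == "!":
                    for j, aj in enumerate(automata):
                        for src2, act2, g2, r2, dst2 in aj["edges"]:
                            if j != i and src2 == l[j] and act2 == "?" + act[1:]:
                                l2 = list(l)
                                l2[i], l2[j] = dst, dst2
                                edges.append((l, act[1:], g + g2, r + r2, tuple(l2)))
    return edges


def reachable(automata):
    """Location tuples reachable from the initial tuple through the product edges.
    Clocks are ignored, so this over-approximates the reachable configurations."""
    init = tuple(a["init"] for a in automata)
    edges = compose(automata)
    seen, todo = {init}, [init]
    while todo:
        l = todo.pop()
        for src, _, _, _, dst in edges:
            if src == l and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def pruned(automata):
    """Product edges whose source tuple is reachable; the rest can never be traversed."""
    live = reachable(automata)
    return [e for e in compose(automata) if e[0] in live]


if __name__ == "__main__":
    for e in compose([A, B]):
        print(e)
    print("reachable:", sorted(reachable([A, B])))
    print("pruned to", len(pruned([A, B])), "of", len(compose([A, B])), "edges")
```

In the constructed network the pair $(l_1, s_0)$ is never reached: $\mathcal{A}$ can only leave $l_0$ by sending on $a$, which forces $\mathcal{B}$ into $s_1$ at the same time. This is the location-level counterpart of the unreachable configurations discussed in the example below; a zone-based analysis of the clocks could only shrink the reachable set further.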

Example. Figures 1 and 2 show an example of a timed automaton $\mathcal{A}$ from [15, 16] and the outcome of applying CIPM to it.

Example. The example depicted in Figure 3 includes synchronization. Running the CIPM algorithm on $\mathcal{A}_1$ results in the automaton $\mathcal{A}_2$ depicted in Figure 4. The algorithm does not change $\mathcal{B}_1$. However, the parallel composition of $\mathcal{A}_2$ and $\mathcal{B}_1$ leads to the parallel automata in Figure 4. This is because by Theorem 1.1 $\mathcal{A}_1 \| \mathcal{B}_1 \equiv \mathcal{A}_2 \| \mathcal{B}_1$, and according to the definition of synchronization transitions $\mathcal{A}_2 \| \mathcal{B}_1 \equiv \mathcal{A}_2 \| \mathcal{B}_2$. As the figure depicts, any configuration of the form $((l_i,s_j),u)$ with $i = 4$ or $j = 1$ is unreachable in $\mathcal{A}_2 \| \mathcal{B}_2$. Therefore, according to Theorem 1.2, any such configuration is also unreachable in $\mathcal{A}_1 \| \mathcal{B}_1$.

Figure 3: Parallel composition.

Figure 4: After applying CIPM.

2 Predicate Abstraction, New Results and the Ongoing Work 

In this section, we introduce a method for using the invariants generated by CIPM in order to build an over-approximating predicate abstraction of the original timed automaton. We consider the abstract states not as Boolean vectors over the designated set of abstraction predicates, but rather as pairs of control locations and conjunctions of positive or negated predicates. In the sequel we explain this in more detail.

A cube $q$ over $P = \{p_0, \ldots, p_n\}$, called a minterm in [12], is a conjunction $\bigwedge_{0 \le i \le n} \tilde{p}_i$ over the elements of $P$ and their negations, i.e. each $\tilde{p}_i$ is either $p_i$ or its negation $\neg p_i$. For example $x < 0 \wedge y > 2 \wedge z = 3$ is a cube over $\{x \ge 0,\ y \le 2,\ z = 3\}$. $\mathrm{cube}(P)$ denotes the set of all cubes over $P$. In the sequel we assume that $\mathrm{CIPM}(\mathcal{A}_1) = (\mathcal{A}, \mathcal{I}_{\mathcal{A}})$ for a real-time model $\mathcal{A}_1$, and our intention is to explain how to generate a predicate abstraction for $\mathcal{A}$. Without loss of generality, in the remainder of the paper we write $\mathcal{I}_{\mathcal{A}}(l_i)$ for $\mathrm{atom}(\mathcal{I}_{\mathcal{A}}(l_i))$, the set of atomic predicates occurring in the invariant.

States of $\mathrm{abst}_{\mathcal{A}}$. The set $\mathcal{I} := \bigcup_{0 \le i < \|\mathcal{A}\|} \mathcal{I}_{\mathcal{A}}(l_i)$ collects all invariants $\mathcal{I}_{\mathcal{A}}(l_i)$, where $\|\mathcal{A}\|$ is the number of control locations of $\mathcal{A}$. Our predicate abstraction over $(\mathcal{A}, \mathcal{I}_{\mathcal{A}})$, denoted $\mathrm{abst}_{\mathcal{A}}$, is a finite state automaton whose states are pairs of the form
$$\Big(l_i,\ \bigwedge_{p \in \mathcal{I}_{\mathcal{A}}(l_i)} p \ \wedge \bigwedge_{p \in \mathcal{I} \setminus \mathcal{I}_{\mathcal{A}}(l_i)} \tilde{p}\Big) \quad \text{for } 0 \le i < \|\mathcal{A}\|,$$
where $\tilde{p}$ is either $p$ or $\neg p$.

Spurious counterexamples found when searching the abstract state space are often due to invariant violations in the concrete model. In order to reduce the risk of generating spurious counterexamples we associate with each control location $l_i$ its invariant as generated by CIPM. These invariants are gathered in $\mathcal{I}$. We first pair up each control location with its own invariant. Then we add the remaining cubes, over $\mathcal{I} \setminus \mathcal{I}_{\mathcal{A}}(l_i)$, to the pair. During construction of the abstraction each configuration $(l_i,u)$ of the concrete model is abstracted to an abstract state in which $\mathcal{I}_{\mathcal{A}}(l_i)$ holds.

Let $\mathrm{cube}_i$ be the set of all cubes over $\mathcal{I} \setminus \mathcal{I}_{\mathcal{A}}(l_i)$ which are satisfiable in conjunction with the predicates in $\mathcal{I}_{\mathcal{A}}(l_i)$:
$$\mathrm{cube}_i := \Big\{\, q \;\Big|\; q \in \mathrm{cube}(\mathcal{I} \setminus \mathcal{I}_{\mathcal{A}}(l_i)) \text{ and } \Big(\bigwedge_{p \in \mathcal{I}_{\mathcal{A}}(l_i)} p\Big) \wedge q \text{ is satisfiable} \,\Big\}.$$
For each $q \in \mathrm{cube}_i$ we denote by $[l_i,q]$ the abstract state $\big(l_i, (\bigwedge_{p \in \mathcal{I}_{\mathcal{A}}(l_i)} p) \wedge q\big)$. $[l_i,q]$ abstracts all configurations $(l_i,u_i)$ of the concrete model $\mathcal{A}$ whose valuation $u_i$ satisfies $q$, i.e. $u_i \models q$.

Example. Let us continue with the first example (Figure 2). According to the example, we have $\mathcal{I}_{\mathcal{A}}(l_0) = \{y \le 1\}$, $\mathcal{I}_{\mathcal{A}}(l_1) = \{x \le y\}$, $\mathcal{I}_{\mathcal{A}}(l_2) = \{y < x\}$ and hence $\mathcal{I} = \bigcup_{0 \le i < \|\mathcal{A}\|} \mathcal{I}_{\mathcal{A}}(l_i) = \{y \le 1,\ x \le y,\ y < x\}$. We use $p_i$ to denote the invariant corresponding to location $l_i$, therefore:
$$\mathrm{cube}(\mathcal{I} \setminus \mathcal{I}_{\mathcal{A}}(l_0)) = \{p_1 \wedge p_2,\ \bar p_1 \wedge p_2,\ p_1 \wedge \bar p_2,\ \bar p_1 \wedge \bar p_2\},$$
$$\mathrm{cube}(\mathcal{I} \setminus \mathcal{I}_{\mathcal{A}}(l_1)) = \{p_0 \wedge p_2,\ \bar p_0 \wedge p_2,\ p_0 \wedge \bar p_2,\ \bar p_0 \wedge \bar p_2\},$$
$$\mathrm{cube}(\mathcal{I} \setminus \mathcal{I}_{\mathcal{A}}(l_2)) = \{p_0 \wedge p_1,\ \bar p_0 \wedge p_1,\ p_0 \wedge \bar p_1,\ \bar p_0 \wedge \bar p_1\}.$$
Some of these combinations are unsatisfiable, on their own or together with the respective location invariant, for instance $p_1 \wedge p_2$. After removing such combinations and, for simplicity, dropping the '$\wedge$' symbol, we obtain $\mathrm{cube}_0 = \{\bar p_1 p_2,\ p_1 \bar p_2\}$, $\mathrm{cube}_1 = \{p_0 \bar p_2,\ \bar p_0 \bar p_2\}$ and $\mathrm{cube}_2 = \{p_0 \bar p_1,\ \bar p_0 \bar p_1\}$. As illustrated in Figure 5 these three sets build an abstract model $\mathrm{abst}_{\mathcal{A}}$ which consists of six states, for example $(l_0, p_0 p_1 \bar p_2)$ and $(l_1, p_1 p_0 \bar p_2)$. As we shall see later on, the dashed line in this figure encloses the unreachable states.
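As an added example (not code from the paper or from the authors' prototype), the following Python script implements the satisfiability check that both the CIPM idleness test of Section 1 and the construction of $\mathrm{cube}_i$ above rely on. Constraints are restricted to differences of two clocks against an integer bound, which covers every atom used in the examples on this page (the paper's constraint language is larger); satisfiability is decided by Floyd-Warshall closure of a difference-bound matrix with strict and non-strict bounds, as zone-based timed-automata tools do. The encoding of the three-location example as $p_0 = y \le 1$, $p_1 = x \le y$, $p_2 = y < x$ is an assumption of this example (the scanned text does not distinguish $<$ from $\le$); under that reading the script reproduces the counts of six abstract states and four satisfiable global cubes, and flags the $x < y$ versus $x > y + 3$ transition from Section 1 as idle.

```python
"""Added example, not from the paper: difference-bound satisfiability for clock
constraints, used for the CIPM idleness test and for building cube_i."""
from itertools import product

INF = float("inf")

# An atom is a 4-tuple (a, b, strict, c) meaning  a - b < c  (strict=True) or
# a - b <= c (strict=False).  The pseudo-clock "0" is constantly zero, so
#   y <= 1      is ("y", "0", False, 1)
#   x < y       is ("x", "y", True, 0)
#   x > y + 3   is ("y", "x", True, -3)      (i.e. y - x < -3)


def negate(atom):
    """not(a - b < c) is b - a <= -c;  not(a - b <= c) is b - a < -c."""
    a, b, strict, c = atom
    return (b, a, not strict, -c)


def _tighter(b1, b2):
    """Strict order on bounds (c, strict): (c, True) is tighter than (c, False)."""
    return b1[0] < b2[0] or (b1[0] == b2[0] and b1[1] and not b2[1])


def satisfiable(atoms):
    """Decide whether the conjunction of atoms has a solution over the non-negative
    reals: build the difference-bound matrix, close it with Floyd-Warshall and look
    for a cycle of weight < 0 (or = 0 containing a strict edge), which shows up as a
    diagonal entry tighter than (0, False)."""
    clocks = sorted({v for a in atoms for v in (a[0], a[1])} | {"0"})
    idx = {v: i for i, v in enumerate(clocks)}
    n = len(clocks)
    m = [[(INF, False)] * n for _ in range(n)]
    for i in range(n):
        m[i][i] = (0, False)
        m[idx["0"]][i] = (0, False)          # 0 - x <= 0: clocks are non-negative
    for a, b, strict, c in atoms:
        i, j = idx[a], idx[b]
        if _tighter((c, strict), m[i][j]):
            m[i][j] = (c, strict)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if m[i][k][0] == INF or m[k][j][0] == INF:
                    continue
                via = (m[i][k][0] + m[k][j][0], m[i][k][1] or m[k][j][1])
                if _tighter(via, m[i][j]):
                    m[i][j] = via
    return not any(_tighter(m[i][i], (0, False)) for i in range(n))


def idle(source_invariant, guard):
    """CIPM idleness test of Section 1 for one cause of idleness: the guard of the
    transition can never hold together with the invariant of its source location."""
    return not satisfiable(list(source_invariant) + list(guard))


def cubes(preds, fixed):
    """cube_i of Section 2: all cubes over the predicates `preds` (name -> atom) that
    are satisfiable together with the atoms in `fixed`, i.e. the location's own
    invariant.  A cube is returned as a tuple of (name, polarity) pairs."""
    names = sorted(preds)
    found = []
    for polarity in product((True, False), repeat=len(names)):
        literals = [preds[p] if pos else negate(preds[p]) for p, pos in zip(names, polarity)]
        if satisfiable(list(fixed) + literals):
            found.append(tuple(zip(names, polarity)))
    return found


# Constructed instance of the three-location example.  Reading of the invariants
# assumed here: p0 = y <= 1, p1 = x <= y, p2 = y < x.
P = {"p0": ("y", "0", False, 1), "p1": ("x", "y", False, 0), "p2": ("y", "x", True, 0)}
INV = {"l0": ["p0"], "l1": ["p1"], "l2": ["p2"]}     # I_A(l_i) as predicate names


def abstract_states():
    """All [l_i, q] with q in cube_i, as (location, cube) pairs."""
    states = []
    for loc, own in INV.items():
        rest = {name: P[name] for name in P if name not in own}
        for q in cubes(rest, [P[name] for name in own]):
            states.append((loc, q))
    return states


def satisfiable_global_cubes():
    """Cubes over the whole of I that are satisfiable on their own (the '4' of the
    succinctness analysis, before locations are paired with their invariants)."""
    return cubes(P, [])


if __name__ == "__main__":
    print("idle:", idle([("y", "x", True, -3)], [("x", "y", True, 0)]))
    for state in abstract_states():
        print(state)
    print(len(abstract_states()), "abstract states,",
          len(satisfiable_global_cubes()), "satisfiable global cubes")
```

The same `satisfiable` routine is what conditions (b) to (d) of Lemma 2.1 below call for when abstract transitions are computed: each is a satisfiability query over a guard or reset conjoined with a cube. Integer variables and the general linear terms of $G(X)$ would need an SMT solver instead of a difference-bound matrix.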

Transitions of $\mathrm{abst}_{\mathcal{A}}$. In $\mathrm{abst}_{\mathcal{A}}$ we execute a transition from a state $[l_i,q]$ to a state $[l_j,q']$ only when one of the following conditions holds in the concrete model $\mathcal{A}$:

• there are two valuations $u_i$ and $u_j$ and a non-idle transition $(l_i,u_i) \xrightarrow{\tau} (l_j,u_j)$ where $u_i \models q$ and $u_j \models q'$, or

• $l_j$ is identical to $l_i$, and there is a delay transition $(l_i,u_i) \xrightarrow{d} (l_i,u_i+d)$ for some valuation $u_i$ such that $u_i \models q$ and $u_i + d \models q'$.

Let $\mathrm{next}([l_i,q])$ denote the set of all successor states of $[l_i,q]$ in $\mathrm{abst}_{\mathcal{A}}$; with respect to the definition above:
$$\mathrm{next}([l_i,q]) := \Big\{\, [l_j,q'] \;\Big|\; \exists\, \tau \text{ or } d : (l_i,u_i) \xrightarrow{\tau/d} (l_j,u_j) \text{ such that } u_i \models \Big(\bigwedge_{p \in \mathcal{I}_{\mathcal{A}}(l_i)} p\Big) \wedge q \text{ and } u_j \models \Big(\bigwedge_{p \in \mathcal{I}_{\mathcal{A}}(l_j)} p\Big) \wedge q' \,\Big\}. \qquad (2)$$
Recall that $\tau$ is a discrete and $d$ a delay transition.

Since $\mathrm{abst}_{\mathcal{A}}$ is an abstraction of $\mathcal{A}$, each of its transitions should have a counterpart in the original model $\mathcal{A}$. This means that whenever $[l_j,q'] \in \mathrm{next}([l_i,q])$, there must exist a non-idle transition from at least one of the concrete states corresponding to $[l_i,q]$ to one of those corresponding to $[l_j,q']$. Such a transition needs to satisfy all the invariants of the source location and also all the invariants of the target location. Also, if there is a reset of some variable, the new value of that variable must satisfy the invariant of the target location:

Lemma 2.1 Assume that $\mathrm{abst}_{\mathcal{A}}$ is an abstraction of $\mathcal{A}$ with respect to some set of predicates $P$. There is a transition from $[l_i,q]$ to $[l_j,q']$ in $\mathrm{abst}_{\mathcal{A}}$, i.e. $[l_j,q'] \in \mathrm{next}([l_i,q])$, if and only if one of the conditions below holds:

1. there are two clock valuations $u_i$ and $u_j$, and a non-idle transition $\tau : (l_i,u_i) \to (l_j,u_j)$ in the concrete model such that:

 (a) $u_i \models q$ and $u_j \models q'$,

 (b) if $G_\tau \neq \emptyset$ then $G_\tau \wedge q$ is satisfiable,

 (c) if $G_\tau/R_\tau \neq \emptyset$ then $G_\tau/R_\tau \wedge q'$ is satisfiable,

 (d) if $R_\tau \neq \emptyset$ then $\mathrm{atom}(R_\tau) \wedge q'$ is satisfiable,

 (e) for all variables $x \notin \mathrm{var}(R_\tau) \cup \mathrm{var}(G_\tau)$, $u_i(x) = u_j(x)$.

2. $l_i = l_j$ and $\exists d, u_i : (l_i,u_i) \xrightarrow{d} (l_i,u_i+d)$ where $u_i \models q$ and $u_i + d \models q'$.

Here $G_\tau$ and $R_\tau$ denote the guard and the reset of $\tau$, respectively.

The next theorem shows that in order to establish a predicate abstraction for the original concrete model $\mathcal{A}_1$ it is enough to do so for the pruned, equivalent version obtained from an application of the CIPM algorithm:

Theorem 2.2 If $\mathrm{CIPM}(\mathcal{A}_1) = (\mathcal{A}, \mathcal{I}_{\mathcal{A}})$ then $\mathrm{abst}_{\mathcal{A}_1} \equiv \mathrm{abst}_{\mathcal{A}}$.

Figure 5: The states of $\mathrm{abst}_{\mathcal{A}}$.

Figure 6: $\mathrm{abst}_{\mathcal{A}}$, the predicate abstraction of $\mathcal{A}$.

The cube $p_0 p_1 \bar p_2$ gives rise to two different abstract states in Figure 5. This is because $p_0$ and $p_1$ are the invariants of $l_0$ and $l_1$, respectively, and are therefore coupled with these locations in the abstract model. The dashed line in this figure encloses the set of unreachable abstract states of the first example. These states are unreachable since they correspond to unreachable concrete states in $\mathcal{A}$ (cf. Lemma 2.1). Using Lemma 2.1 to compute the transitions in the abstract model, one obtains Figure 6 as the initial predicate abstraction of $\mathcal{A}$. For instance, from $(l_0, p_0 \bar p_1 p_2)$ there is a transition to $(l_0, p_0 p_1 \bar p_2)$ because the concrete transition $(l_0,u) \to (l_0,u')$ fulfils Lemma 2.1.

In the following we give a simple succinctness analysis of our approach. Each timed automaton has a finite number of control locations, $\|\mathcal{A}\|$. We associate with each location $l_i$ at most $\|\mathrm{cube}_i\|$ abstract states. This way the number of abstract states is at most $\sum_{0 \le i < \|\mathcal{A}\|} \|\mathrm{cube}_i\|$ in the worst case. In the example depicted in Figure 5 this number is $2 + 2 + 2 = 6$. By pruning the original model using CIPM and by applying Lemma 2.1 this number reduces to 4 abstract states, see Figure 6. Without detecting the idle transitions and without pairing the control locations with their invariants, one would have obtained $3 \times 4 = 12$ abstract states, where 4 is the number of distinct satisfiable cubes and 3 is the number of control locations. This number would rise further to $3 \times 2^3 = 24$ abstract states if no satisfiability check on the cubes were done.